Question about certificate entity templating in policies


I have setup cert auth with a CA. Client machines will authenticate to Vault using their keys, and will have a policy that let each machine write secrets on a path that matches their respective CN. The secrets engine is KV2.

As for the create/update policy path , this works:


However, this does not work:


According to the documentation I expected that this would work with .metadata.common_name, instead of .name.

What am I missing?



There is currently a bug with cert auth where metadata is not written. It can be found over here.
Sadly enough until it’s fixed, cert auth can’t be used.

Thanks. Not sure if it’s the same thing though, as I’m actually using it. I cannot write to the path with any certificate which doesn’t match the CN in the path, which is what is supposed to happen. I just want to be sure I understand correctly why it’s working.